sync: protect unlocked access to fence status

Fence status is checked outside of locks in both sync_fence_wait and
sync_fence_poll.  This patch adds propper barrier protection in these
cases to avoid seeing stale status.

Change-Id: I9d8b6ce6accb415e797df58068a1ccd54e6be445
Signed-off-by: Erik Gilling <konkers@android.com>

diff --git a/drivers/base/sync.c b/drivers/base/sync.c
index 82c317ab28a347b74f7b6fedf5a871859e2517ef..f05b708b6c857a6f25c32f3bd8ec8bb3c2a54732 100644 (file)
--- a/drivers/base/sync.c
+++ b/drivers/base/sync.c
@@ -555,6 +555,16 @@ int sync_fence_cancel_async(struct sync_fence *fence,
 }
 EXPORT_SYMBOL(sync_fence_cancel_async);
 
+static bool sync_fence_check(struct sync_fence *fence)
+{
+       /*
+        * Make sure that reads to fence->status are ordered with the
+        * wait queue event triggering
+        */
+       smp_rmb();
+       return fence->status != 0;
+}
+
 int sync_fence_wait(struct sync_fence *fence, long timeout)
 {
        int err = 0;
@@ -562,7 +572,7 @@ int sync_fence_wait(struct sync_fence *fence, long timeout)
        if (timeout > 0) {
                timeout = msecs_to_jiffies(timeout);
                err = wait_event_interruptible_timeout(fence->wq,
-                                                      fence->status != 0,
+                                                      sync_fence_check(fence),
                                                       timeout);
        } else if (timeout < 0) {
                err = wait_event_interruptible(fence->wq, fence->status != 0);
@@ -629,6 +639,12 @@ static unsigned int sync_fence_poll(struct file *file, poll_table *wait)
 
        poll_wait(file, &fence->wq, wait);
 
+       /*
+        * Make sure that reads to fence->status are ordered with the
+        * wait queue event triggering
+        */
+       smp_rmb();
+
        if (fence->status == 1)
                return POLLIN;
        else if (fence->status < 0)